b'                                                     OFFICE OF INSPECTOR GENERAL\n                                                                               MEMORANDUM\n\n\n\n\nDATE:           September 5, 2001\n\nTO:             Chairman\n\nFROM:           Inspector General\n\nSUBJECT:        Government Information Security Reform Act Report\n\n\nThe Office of Inspector General (OIG) has completed an evaluation of the Commission\xe2\x80\x99s\nInformation Security program in accordance with the Government Information Security Reform\nAct (Security Act). The Security Act requires that Inspectors General, or independent evaluators\nthey choose, perform an annual evaluation of each agency\xe2\x80\x99s information security program and\npractices. I have attached a copy of out report, entitled FY 2001 Government Information\nSecurity Reform Act Evaluation,\xe2\x80\x9d summarizing the results of our evaluation of the\nCommission\xe2\x80\x99s Information Security program.\n\nIn accordance with guidelines published by the Office of Management and Budget (OMB), the\nOIG report consists of two sections: (1) an executive summary, and (2) the independent\nevaluation. The executive summary section provides a brief background of the Security Act and\nthe purpose of the evaluation, evaluation objectives and scope, and the results of the evaluation.\nThe independent evaluation section provides a brief summary of the evaluation and provides\nOIG responses to specific questions required by OMB reporting instructions1. Our report has\nbeen developed for incorporation into one document with the Security Act report produced by\nthe Chief Information Officer (CIO). 
This combined report is required to be submitted to OMB\nby September 10, 2001.\n\nAs a result of the independent evaluation, we have concluded that the Commission has a\ngenerally effective information security program with acceptable practices for managing and\nsafeguarding the Federal Communications Commission\xe2\x80\x99s (FCC\xe2\x80\x99s) information technology\n\n\n1   Office of Management and Budget (OMB) Memorandum for the Heads of Executive Department and\n    Agencies (Memorandum No. M-01-24) entitled \xe2\x80\x9cReporting Instructions for the Government Information\n    Security Reform Act\xe2\x80\x9d and dated June 22, 2001.\n\x0cassets. However, during the evaluation, we identified areas for improvement in the FCC\xe2\x80\x99s\ninformation security management, operational and technical controls. We are addressing these\nissues with FCC management in a separate Special Review Report.\n\nIf you have any questions, please contact me at (202) 418-0476.\n\n\n\n\n                                     H. Walker Feaster III\n\nAttachment\n\ncc:    Chief of Staff\n       Managing Director\n       Chief Information Officer\n       AMD-PERM\n\x0cFederal Communications Commission\n     Office of Inspector General\n\n\n\n\n  FY 2001 Government Information Security\n           Reform Act Evaluation\n\n             September 5, 2001\n\n             Prepared by KPMG, LLP\n\x0c                               EXECUTIVE SUMMARY\n\n\nBackground\n\nThe Government Information Security Reform Act (Security Act), passed last year as\npart of the FY 2001 Defense Authorization Act (P.L. 106-398), amended the Paperwork\nReduction Act of 1995 (PRA) by adding a new subchapter on information security. The\nSecurity Act focuses on the program management, implementation, and evaluation\naspects of the security of unclassified and national security systems. 
Generally, the\nSecurity Act codifies existing Office of Management and Budget (OMB) security\npolicies, Circular A-130, Appendix III, and reiterates security responsibilities outlined in\nthe Computer Security Act of 1987, the PRA, and the Clinger-Cohen Act of 1996. In\naddition, the Security Act requires annual agency program reviews and annual\nindependent evaluations for both unclassified and national security programs.\n\nA key provision of the Security Act requires that the Inspector General (IG) perform an\nannual independent evaluation of the information security program of the Federal\nCommunications Commission (FCC). The Security Act also permits the IG to select an\nindependent evaluator to perform this evaluation. The IG contracted with KPMG, LLP\nto perform the independent evaluation as required by the Security Act.\n\nThe purpose of this review was to perform the independent evaluation of FCC\xe2\x80\x99s\ninformation security program and practices to ensure proper management and security for\nthe information resources supporting the agency\xe2\x80\x99s operations and assets as required by\nthe act.\n\nTo perform this independent evaluation, we followed the guidance as described in OMB\nMemorandum M-01-08, entitled \xe2\x80\x9cGuidance on Implementing the Government\nInformation Security Reform Act\xe2\x80\x9d and dated January 16, 2001. Also quite relevant to\nthis evaluation was guidance from OMB Memorandum M-01-24, entitled \xe2\x80\x9cReporting on\nthe Government Information Security Reform Act\xe2\x80\x9d and dated June 22, 2001. OMB M-\n01-24 provided the topics/questions that were required to be addressed in the IG\xe2\x80\x99s\nindependent evaluation of the FCC\xe2\x80\x99s information security program and practices. 
The\nindependent evaluation, which includes the responses to topics/questions-2 \xe2\x80\x93 13, is\nattached\n\nThe fundamental mission of the Federal Communications Commission (FCC) is to\nimplement the Communications Act of 1934, as amended, in a manner that promotes\ncompetition, innovation, and deregulation in the communications industry and the\navailability of high quality communications services for all Americans. In order to\nachieve these objectives, the Commission must strive to stay on the cutting edge of\nchanges in technology, economics and law.\n\n\n\n\n                                              1\n\x0cAs stated in the Commission\xe2\x80\x99s FY 2002 Budget Estimate to Congress, the advent of\nInternet-based and other new technology driven communications services will continue to\nerode the traditional regulatory distinctions between different sectors of the\ncommunications industry. The FCC recognizes that their most immediate challenge is to\nintegrate the changing character of the industry into its core functions of 1) licensing; 2)\nconsumer protection; 3) enforcement; 4) promotion of competitive markets; and 5)\nspectrum management.\n\nIn the past few years, the FCC has streamlined its licensing procedures and implemented\nelectronic filing capability in 78 services, 72% of all licensing systems. At the end of\nFiscal Year 2000, 62% of all license applications were filed electronically. Additionally,\n93% of all applications were acted on within the FCC\xe2\x80\x99s speed of disposal goals.\nImplementation of these electronic licensing systems has led to improved processing time\nand to a significant decrease in the number of backlogged applications.\n\nIn Fiscal Year 2000, the FCC made its website more accessible to their Internet users.\nThe FCC received 320 million \xe2\x80\x9chits,\xe2\x80\x9d making the FCC one of the most popular\ngovernment online sites. 
The FCC\xe2\x80\x99s consumer information centers received more than\n789,000 consumer inquiries on such hot topics as cramming, slamming and spamming.\n\nTo this end, supporting specific information technology initiatives requires an effective\ninformation security program that will safeguard FCC\xe2\x80\x99s computer-based assets from\ntechnological vulnerabilities, or from disruption of services. To support today\xe2\x80\x99s\ninformation technology infrastructure, effective management, operational and technical\ncontrols are essential. The FCC\xe2\x80\x99s method of implementing the requirements of the\nSecurity Act is focused on ensuring that programs and policies are in compliance with\nOMB A-130 requirements and in association with National Institute of Standards and\nTechnology (NIST).\n\nEvaluation Objective\n\nThe objective of this independent evaluation was to examine the Commission\xe2\x80\x99s security\nprogram and practices. The examination included testing the effectiveness of security\ncontrols for an appropriate subset of the Commission\xe2\x80\x99s systems. The evaluation\nobjective also included a review of the Commission\xe2\x80\x99s security policies, security\narchitecture, business continuity, security capital planning, critical infrastructure, and\nsecurity program planning and management. The specific objectives of the evaluation\nwere to:\n\n\xe2\x80\xa2   Obtain an understanding of the Commission\xe2\x80\x99s Information Technology (IT)\n    infrastructure;\n\n\xe2\x80\xa2   Obtain an understanding of the Commission\xe2\x80\x99s information security program and\n    practices;\n\n\n\n\n                                             2\n\x0c\xe2\x80\xa2   Use the Security Act security assessment tool to evaluate the effectiveness of the\n    Commission\xe2\x80\x99s information security program and assess risk for each component of\n    the program. 
At a minimum, the assessment should include an identification and\n    ranking of the critical information security threats to the FCC IT infrastructure on a\n    risk vulnerability basis; and\n\n\xe2\x80\xa2   Prepare the annual submission in accordance with the reporting requirements\n    mandated under the Security Act for Fiscal Year 2001. In addition to preparing the\n    annual submission, provide a detailed report that will (1) identify and rank the critical\n    security risk factors and (2) contain observations and recommendations for\n    improvements, if any.\n\nEvaluation Scope\n\nThe evaluation approach consisted of reviewing documentation that included previous\nspecial reviews and audits, by conducting interviews, attending meetings, and by\nobservations.\n\nOur procedures were designed to comply with applicable auditing standards and\nguidelines. These included AICPA Professional Standards, Generally Accepted\nGovernment Auditing Standards (GAGAS) as well as GAO\xe2\x80\x99s Federal Information\nSystems Control Audit Methodology (FISCAM); however, this review was intended to\nbe a risk assessment and not a general controls review; FISCAM was used as appropriate\nto assess management, operational and technical controls.\n\nThe scope of the evaluation included the security infrastructure managed by the Office of\nManaging Director\xe2\x80\x99s Information Technology Center (ITC) and the Auctions Automation\nBranch of the Wireless Telecommunications Bureau (WTB). In addition, the scope\nincluded selecting an appropriate subset of the Commission\xe2\x80\x99s business applications. As\npart of our evaluation of the FCC\xe2\x80\x99s Computer Security Program, we selected the\nConsolidated Database System (CDBS) application for review. 
CDBS is a major\napplication operated by the Commission\xe2\x80\x99s Mass Media Bureau.\n\nThe evaluation methodology used was the NIST Self-Assessment Guide questionnaire\n(National Institute of Standards and Technology Systems (NIST) Self-Assessment Guide\nfor Information Technology Systems). The final NIST Self-Assessment Guide was not\navailable, therefore, the draft Self-Assessment Guide was used.\n\nOur observations are organized according to NIST control areas: management controls,\noperational controls, technical controls. Within each control area, specific control\nobjectives are addressed.\n\nManagement Controls - Management controls focus on the management of the IT\nsecurity system and the management of risk for a system. They are techniques and\nconcerns that are normally addressed by management. The specific management control\nobjectives addressed are:\n\n\n                                              3\n\x0c   \xe2\x80\xa2   Risk Management\n   \xe2\x80\xa2   Review of Security Controls\n   \xe2\x80\xa2   Life Cycle\n   \xe2\x80\xa2   Authorize Processing (Certification & Accreditation)\n   \xe2\x80\xa2   System Security Plan\n\nOperational Controls - The operational controls address security methods focusing on\nmechanisms primarily implemented and executed by people (as opposed to systems).\nThese controls are put in place to improve the security of a particular system (or group of\nsystems). They often require technical or specialized expertise and often rely upon\nmanagement activities as well as technical controls. 
The specific operational control\nobjectives addressed are:\n\n   \xe2\x80\xa2   Personnel Security\n   \xe2\x80\xa2   Physical and Environmental Protection\n   \xe2\x80\xa2   Production, Input/Output Controls\n   \xe2\x80\xa2   Contingency Planning\n   \xe2\x80\xa2   Hardware and System Software Maintenance\n   \xe2\x80\xa2   Data Integrity\n   \xe2\x80\xa2   Documentation\n   \xe2\x80\xa2   Security Awareness, Training and Education\n   \xe2\x80\xa2   Incident Response Capability\n\nTechnical Controls - Technical controls focus on security controls that the computer\nsystem executes. The controls can provide automated protection for unauthorized access\nor misuse, facilitate detection of security violations, and support security requirements for\napplications and data. The specific technical control objectives addressed are:\n\n   \xe2\x80\xa2   Identification and Authentication\n   \xe2\x80\xa2   Audit Trails\n   \xe2\x80\xa2   Logical Access Controls\n\nResults of the Independent Evaluation\n\nAs a result of the independent evaluation, we have concluded that the Commission has a\ngenerally effective information security program with acceptable practices for managing\nand safeguarding the FCC\xe2\x80\x99s information technology assets.\n\nDuring the evaluation, we identified in-place controls in key areas such as a current\ncomputer security program policy. An update to the current policy is already in\ncirculation for approval and it is planned that this policy will replace the current policy by\nNovember 2001. 
The revised computer security program policy, which is in draft, is\nindicative of how proactive the FCC is with keeping pace with technological challenges,\nchanges, demands, and innovations.\n\n\n                                              4\n\x0cThe FCC is diligent about synchronizing their procedures with OMB A-130 guidance.\nThe security plan templates that have been created for general support systems and major\napplications are designed in accordance with NIST guidance for developing security\nplans. The FCC has begun development of their security plans; however, an area for\nimprovement is to complete the security plans for all of the major applications.\n\nOn a monthly basis, the Computer Security Officer conducts Security Awareness\nTraining for all new users who are granted access to the FCC Network general support\nsystem. Also in place is a recently developed system development life cycle\nmethodology that was developed jointly with the Information Technology Center (ITC)\nand the Office of Inspector General (OIG).\n\nAn initiative demonstrated by the ITC was a site visit to J.P. Morgan/Chase Bank prior to\nallowing the processing of FCC data. The ITC group made an unannounced visit to the\nJ.P. Morgan office in New York to review the effectiveness of the bank\xe2\x80\x99s security\nposture. The visit proved successful and authorization for J.P. Morgan to handle\nprocessing for the FCC was awarded.\n\nLast year, the FCC conducted numerous computer security assessments. The\nassessments identified potential risks and provided countermeasures and safeguards to\nmitigate the risks identified. In addition, a risk assessment of the FCC Net and Auctions\nLAN general support systems was conducted.\n\nAlthough the FCC has several controls in place, areas for improvement in the\nmanagement, operational and technical control areas exist. 
To strengthen the agency\xe2\x80\x99s\nsecurity program and practices, a strategy and plan of action as prescribed by OMB M-\n01-24, Reporting Instructions for the Government Information Security Reform Act,\ntopic/question #14, should be developed with milestones that include completion dates,\nhow the agency plans to address control areas that need to be strengthened as identified\nthrough the independent evaluation, and should identify a strategy to overcome any\nobstacles that would affect addressing known weaknesses.\n\n\n\n\n                                             5\n\x0c                                                                               Page 1 of 24\n\n\n        Independent Evaluation of the FCC\xe2\x80\x99s Information Security Program\n\nThe Government Information Security Reform Act (Security Act) was passed last year as\npart of the FY 2001 Defense Authorization Act (P.L. 106-398). The Security Act focuses\non the program management, implementation, and evaluation aspects of the security of\nagency computer systems. The Security Act codifies existing Office of Management and\nBudget (OMB) security policies, Circular A-130, Appendix III, and reiterates security\nresponsibilities outlined in the Computer Security Act of 1987, the PRA, and the Clinger-\nCohen Act of 1996. An important provision of the Security Act requires the Inspector\nGeneral (IG) perform an annual independent evaluation of the information security\nprogram of the Federal Communications Commission (FCC). 
The Security Act also\npermits the IG to select an independent evaluator to perform this evaluation.\n\nThe purpose of this review was to perform the independent evaluation of FCC\xe2\x80\x99s\ninformation security program and practices to ensure proper management and security for\nthe information resources supporting the agency\xe2\x80\x99s operations and assets as required by\nthe act.\n\nThe objective of this independent evaluation was to examine the Commission\xe2\x80\x99s security\nprogram and practices. The examination included testing the effectiveness of security\ncontrols for an appropriate subset of the Commission\xe2\x80\x99s systems. The evaluation\nobjective also included a review of the Commission\xe2\x80\x99s security policies, security\narchitecture, business continuity, security capital planning, critical infrastructure, and\nsecurity program planning and management\n\nTo perform this independent evaluation, we followed the guidance as described in OMB\nMemorandum M-01-08, entitled \xe2\x80\x9cGuidance on Implementing the Government\nInformation Security Reform Act\xe2\x80\x9d and dated January 16, 2001. Also relevant to this\nevaluation was guidance from OMB Memorandum M-01-24, entitled \xe2\x80\x9cReporting on the\nGovernment Information Security Reform Act,\xe2\x80\x9d and dated June 22, 2001. OMB M-01-\n24 provided the topics/questions that were required to be addressed in the IG\xe2\x80\x99s\nindependent evaluation of the FCC\xe2\x80\x99s information security program and practices.\n\nThe evaluation approach consisted of reviewing documentation that included previous\nspecial reviews and audits, by conducting interviews, attending meetings, and by\nobservations.\n\nOur procedures were designed to comply with applicable auditing standards and\nguidelines. 
These included AICPA Professional Standards, Generally Accepted\nGovernment Auditing Standards (GAGAS) as well as GAO\xe2\x80\x99s Federal Information\nSystems Control Audit Methodology (FISCAM); however, this review was intended to\nbe a risk assessment and not a general controls review; FISCAM was used as appropriate\nto assess management, operational and technical controls.\n\nThe scope of the evaluation included the security infrastructure managed by the Office of\nManaging Director\xe2\x80\x99s Information Technology Center (ITC) and the Auctions Automation\n\x0c                                                                              Page 2 of 24\n\n\nBranch of the Wireless Telecommunications Bureau (WTB). In addition, the scope\nincluded selecting an appropriate subset of the Commission\xe2\x80\x99s business applications. As\npart of our evaluation of the FCC\xe2\x80\x99s Computer Security Program, we selected the\nConsolidated Database System (CDBS) application for review. CDBS is a major\napplication operated by the Commission\xe2\x80\x99s Mass Media Bureau.\n\nThe evaluation methodology used was the NIST Self-Assessment Guide questionnaire\n(National Institute of Standards and Technology Systems (NIST) Self-Assessment Guide\nfor Information Technology Systems). The final NIST Self-Assessment Guide was not\navailable, therefore, the draft Self-Assessment Guide was used.\n\nThe Office of Management and Budget, Memorandum 01-24 (OMB M-01-24) provides\nthe topics/questions for response by the Chief Information Officers (CIO) and Inspector\nGenerals (OIG) of federal agencies. OMB-01-24 provides 14 questions that require\nresponse. OMB requests that OIG\xe2\x80\x99s respond to questions 2-13. 
All responses were based\non the results of the OIG\xe2\x80\x99s independent evaluation.\n\nThe Commission\xe2\x80\x99s Office of Inspector General contracted for the professional services\nfirm of KPMG, LLP to prepare the independent evaluation and respond to questions 2-13\nas requested by OMB. KPMG\xe2\x80\x99s approach to responding to questions 2-13 was to\nperform an independent evaluation as required by the Government Information Security\nReform Act. The evaluation methodology used was the National Institute of Standards\nand Technology (NIST) Self-Assessment Guide for Information Technology Systems\nquestionnaire While performing the independent evaluation, numerous interviews were\nconducted and a number of documents provided by FCC were reviewed.\n\nAs a result of the independent evaluation, we have concluded that the Commission has a\ngenerally effective information security program with acceptable practices for managing\nand safeguarding the FCC\xe2\x80\x99s information technology assets. During the evaluation, we\nidentified in-place controls in essential areas such as a current computer security program\npolicy. An update to the current policy is already in circulation for approval and it is\nplanned that this policy will replace the current policy by November 2001. The revised\ncomputer security program policy, which is in draft, is indicative of how proactive the\nFCC is with keeping pace with technological challenges, changes, demands, and\ninnovations.\n\nAlthough the FCC has several controls in place, areas for improvement in the\nmanagement, operational and technical control areas exist. 
To strengthen the agency\xe2\x80\x99s\nsecurity program and practices, a strategy and plan of action as prescribed by OMB M-\n01-24, Reporting Instructions for the Government Information Security Reform Act,\ntopic/question #14, should be developed with milestones that include completion dates,\nhow the agency plans to address control areas that need to be strengthened as identified\nthrough the independent evaluation, and should identify a strategy to overcome any\nobstacles that would affect addressing known weaknesses.\n\x0c                                                                                 Page 3 of 24\n\n\nOIG Responses to OMB M-01-24 Security Act Reporting Topics/Questions\n\nQuestion #1 - In this section, the agency shall provide the following information:\n\nIdentify the agency\xe2\x80\x99s total security funding as found in the agency\xe2\x80\x99s FY01 budget\nrequest, FY01 budget enacted, and the FY02 budget request. This should include a\nbreakdown of security costs by each major operating division or bureau and include\ncritical infrastructure protection costs that apply to the protection of government\noperations and assets. Do not include funding for critical infrastructure protection\npertaining to lead agency responsibilities such as outreach to industry and the public.\n\nOIG response to Question #1 - This question is not applicable to the OIG per OMB\nreporting instructions.\n\nQuestion #2 - Identify the total number of programs included in the program review or\nindependent evaluations.\n\nOIG response to Question #2 - In accordance with the guidelines contained in the OMB\nguidance, we selected an application from among the Commission\xe2\x80\x99s major applications\nfor detailed review. Based on revenue generation, the Wireless Telecommunications\nBureau (WTB) and the Mass Media Bureau head the list. 
Due to initiatives currently\nunderway for WTB, we did not focus on WTB\xe2\x80\x99s major applications and general support\nsystem in the program review.\n\nFor the Fiscal Year 2001 review, the Mass Media Bureau (MMB) was selected. The\nMMB is second in revenue generation to WTB. MMB ensures that consumers have\naccess to interference-free radio and television services that are in the public interests.\nTo achieve this, MMB issues licenses for radio and television stations and establishes\nregulations to make certain that these stations serve their local communities through\nprogramming and advertising.\n\nAs part of our evaluation of the FCC\xe2\x80\x99s Computer Security Program, we selected the\nConsolidated Database System (CDBS) application for review. CDBS is a major\napplication operated by the Commission\xe2\x80\x99s Mass Media Bureau. CDBS is the Mass\nMedia Bureau\xe2\x80\x99s Internet based system that permits electronic filing of broadcast radio\nand television application forms with the FCC. The CDBS provides a Public Access\nSystem and an Electronic Filing System for internal use and external use.\n\nCDBS is ranked high in the amount of revenue generated by the system as well as high in\nthe OMB A-130 criteria of availability, integrity, and confidentiality. When appropriate,\nthe FCC\xe2\x80\x99s general support system, FCC Net, is included in the program review as we\nmoved through the assessment of control areas.\n\nQuestion #3 - Describe the methodology used in the program reviews and the\nmethodology used in the independent evaluations.\n\x0c                                                                                Page 4 of 24\n\n\nOIG response to Question #3 - The independent evaluation was performed using the\ndraft version of the NIST Self-Assessment Guide. The independent evaluation consisted\nof reviewing Management Controls, Operational Controls and Technical Controls with\nthe NIST Self-Assessment Guide framework. 
Within each control area, specific control\nobjectives were addressed. A description of the NIST Self-Assessment Guide control\nareas is as follows:\n\nManagement Controls - Management controls focus on the management of the IT\nsecurity system and the management of risk for a system. They are techniques and\nconcerns that are normally addressed by management. The specific management control\nobjectives addressed are:\n\n   \xe2\x80\xa2   Risk Management\n   \xe2\x80\xa2   Review of Security Controls\n   \xe2\x80\xa2   Life Cycle\n   \xe2\x80\xa2   Authorize Processing (Certification & Accreditation)\n   \xe2\x80\xa2   System Security Plan\n\nOperational Controls - The operational controls address security methods focusing on\nmechanisms primarily implemented and executed by people (as opposed to systems).\nThese controls are put in place to improve the security of a particular system (or group of\nsystems). They often require technical or specialized expertise and often rely upon\nmanagement activities as well as technical controls. The specific operational control\nobjectives addressed are:\n\n   \xe2\x80\xa2   Personnel Security\n   \xe2\x80\xa2   Physical and Environmental Protection\n   \xe2\x80\xa2   Production, Input/Output Controls\n   \xe2\x80\xa2   Contingency Planning\n   \xe2\x80\xa2   Hardware and System Software Maintenance\n   \xe2\x80\xa2   Data Integrity\n   \xe2\x80\xa2   Documentation\n   \xe2\x80\xa2   Security Awareness, Training and Education\n   \xe2\x80\xa2   Incident Response Capability\n\nTechnical Controls - Technical controls focus on security controls that the computer\nsystem executes. The controls can provide automated protection for unauthorized access\nor misuse, facilitate detection of security violations, and support security requirements for\napplications and data. 
The specific technical control objectives addressed are:\n\n   \xe2\x80\xa2   Identification and Authentication\n   \xe2\x80\xa2   Audit Trails\n   \xe2\x80\xa2   Logical Access Controls\n\x0c                                                                               Page 5 of 24\n\n\nQuestion #4 - Report any material weakness in policies, procedures, or practices as\nidentified and required to be reported under existing law.\n\nOIG response to Question #4 - The Commission\xe2\x80\x99s Fiscal Year 2000 Financial\nStatement audit, June 27, 2001, reported material weaknesses regarding information\nsecurity policies, procedures or practices. The following deficiencies in security controls\nwere reported:\n\n   \xe2\x80\xa2   FCC is not in compliance with OMB Circular No. A-130 Requirement for a\n       Comprehensive Security Plan (modified repeat condition from FY 1999\xe2\x80\x99s\n       financial statement audit).\n\n   \xe2\x80\xa2   FCC lacks a comprehensive and integrated security management structure. In\n       such an environment, responsibilities could be unclear leading to the possibility of\n       applying security controls inconsistently throughout the agency. As a result,\n       certain vulnerabilities may be overlooked. In addition, monitoring the\n       effectiveness of procedures for security controls throughout the agency will be\n       ineffective.\n\n   \xe2\x80\xa2   FCC has not performed risk assessments for its major application systems and its\n       mission-critical general support system. FCC did perform vulnerability\n       assessments for several of its major applications and general support systems in\n       fiscal year 2000, but has not completed risk assessments as prescribed by OMB\n       Circular No. A-123, Management Accountability and Control.\n\n   \xe2\x80\xa2   There is no periodic review of security controls over FCC\xe2\x80\x99s systems. 
In addition,\n       FCC has not performed any formal certification and accreditation of its systems.\n       FCC plans to conduct initial security reviews over a two-year period ending in\n       fiscal year 2002. FCC plans to make these reviews part of its internal control\n       review process.\n\nDuring the fiscal year 2001 independent evaluation for GISRA, an organizational pattern\nwas observed with regards to management operating from draft policy guidelines. The\npolicies that are in draft are significant in the area of information security:\n\n   \xe2\x80\xa2   FCC Personnel Security/Suitability Manual (draft policy)\n   \xe2\x80\xa2   Management of Non-Public Information, Form 1139 (draft policy)\n   \xe2\x80\xa2   Physical Security (policy not available)\n   \xe2\x80\xa2   Information Security Manual, Form 1131 (expired policy)\n   \xe2\x80\xa2   IT Strategic Plan (draft)\n\nQuestion #5 - Describe the specific measures of performance used by the agency to\nensure that agency program officials have:\n\n1. assessed the risk to operations and assets under their control;\n2. determined the level of security appropriate to protect such operations and assets\n\x0c                                                                               Page 6 of 24\n\n\n3. maintained an up-to-date security plan (that is practiced throughout the life cycle) for\n   each system supporting the operations and assets under their control; and\n4. tested and evaluated security controls and techniques.\n\nNOTE: Include information on the actual performance for each of the four categories.\n\nOIG response to Question #5 - The Commission\xe2\x80\x99s \xe2\x80\x9cStrategic Plan: A New FCC for the\n21St Century\xe2\x80\x9d, August 1999, provides specific implementation plans for years 2000 \xe2\x80\x93\n2004. 
Section III identifies specific policy initiatives and performance measures as a
roadmap for the Commission to follow over the next five years and to measure progress
toward the Commission’s objectives. In 1999, the specific performance measures used
by FCC to ensure that the Commission’s strategic plan was carried out consisted of
identifying the performance measure, then measuring progress against two-year goals,
five-year goals, or timeframes such as by year 2003.

The critical tasks that must be achieved in order to make progress include the following
initiatives:

Create a Model Agency for the Digital Age

   1)   Lead the Way in the Information Age
   2)   Reorganize to Create an Agency Infrastructure Conducive to Convergence
   3)   Create a Faster, Flatter, More Functional Agency
   4)   Preserve and Increase the Wealth of Knowledge and Expertise of FCC Staff

Promote Competition in All Communication Markets

   1)   Eliminate Barriers to Entry in Domestic Markets
   2)   Deregulate As Competition Develops
   3)   Enforce the Rules so that Businesses Compete Fairly
   4)   Promote Competition in International Communications Markets

Promote Opportunities for All Americans to Benefit from the Communications
Revolution

   1)   Ensure Access For All Americans To Existing And Future Communications
        Services
   2)   Promote Opportunities to Expand Direct Participation In Existing And Future
        Communications Businesses
   3)   Foster a More Consumer Friendly Marketplace

Manage The Electromagnetic Spectrum (the Nation’s Airwaves) In The Public
Interest

   1)   Create More Efficient Spectrum Markets
   2)   Increase the Amount of Spectrum Available, Particularly for New Services

(1) Risk Assessments (assess the risk to operations and assets under their control)

In evaluating FCC’s assets, the Commission determines which of its business
applications are considered major in accordance with guidance from OMB A-130,
Appendix III. The FCC’s Information Technology Center (ITC) uses evaluation
worksheets as a tool to determine FCC’s major applications. In the assessment, the ITC
group uses the following categories to determine whether the applications should be
categorized as major:

   •   Importance (revenue)
       Dollar amounts generated by the system, by the collection of regulatory and
       application fees, which are returned to the Federal government.
       (Low = $0 - $500K; Moderate = >$500K - <$1M; High = >$1M)

   •   System Investment
       The dollar amount spent to date to develop and maintain the system, and any
       associated databases.
       (Low = $30 - $750K; Moderate = >$750K - <$2M; High = >$2M)

   •   Administrative Significance
       The impact of not having the system, or its associated data, available for use by
       the Bureau/Office or the FCC. Important Note: Administrative Significance is a
       subjective ranking versus categories that are based on fixed costs.

   •   Risk/Harm
       The amount of risk/harm that could be caused if the system, or its associated data,
       were compromised (i.e., the potential damage that might be caused by a person
       who gained unauthorized access to the data processed by a specific system).
       Risk/Harm is a subjective ranking versus categories that are based on fixed costs.

Any application rated “HIGH” in any of the four categories noted above is considered a
major application within the FCC infrastructure.
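The ITC "yard stick" described above, written out as a small classifier. This is an added example, not code from the OIG report or from the FCC: the system names and dollar amounts are constructed, and two details are assumptions because the report's bands leave them unassigned, namely how an amount that falls exactly on a band boundary (e.g. $1M) is rated, and the $0 floor for System Investment (the report prints both "$30" and "$0").

```python
"""ITC "yard stick" for deciding whether an application is a major application.

Added example (not the report's or the FCC's code). Bands and the
any-High-is-major rule come from the report; boundary handling and the $0
investment floor are assumptions, marked in the comments below.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Rating(str, Enum):
    LOW = "Low"
    MODERATE = "Moderate"
    HIGH = "High"


# Report: Importance (Revenue)  Low = $0-$500K; Moderate = >$500K-<$1M; High = >$1M
REVENUE_BANDS = (500_000, 1_000_000)
# Report: System Investment      Low = $0-$750K; Moderate = >$750K-<$2M; High = >$2M
# (the prose version prints the floor as "$30"; the table's $0 is used here: assumption)
INVESTMENT_BANDS = (750_000, 2_000_000)


def band_rating(amount_usd: float, bands: tuple[int, int]) -> Rating:
    """Place a dollar amount in a Low/Moderate/High band.

    The report's Low band is inclusive ("$0-$500K") but Moderate is ">$500K-<$1M"
    and High is ">$1M", so the exact upper boundary ($1M, $2M) belongs to no band.
    Assumption: an amount exactly on that boundary is rated High, because
    under-rating an application drops it out of the major-application controls.
    """
    if amount_usd < 0:
        raise ValueError("amount must be non-negative")
    low_max, moderate_max = bands
    if amount_usd <= low_max:
        return Rating.LOW
    if amount_usd < moderate_max:
        return Rating.MODERATE
    return Rating.HIGH


@dataclass(frozen=True)
class Application:
    name: str
    annual_revenue_usd: float            # regulatory/application fees returned to Treasury
    investment_to_date_usd: float        # development + maintenance spend, incl. databases
    administrative_significance: Rating  # subjective: impact of the system being unavailable
    risk_harm: Rating                    # subjective: damage if the system or its data were compromised


def yard_stick(app: Application) -> dict[str, Rating]:
    """Rate one application in the four ITC categories."""
    return {
        "Importance (Revenue)": band_rating(app.annual_revenue_usd, REVENUE_BANDS),
        "System Investment": band_rating(app.investment_to_date_usd, INVESTMENT_BANDS),
        "Administrative Significance": app.administrative_significance,
        "Risk/Harm": app.risk_harm,
    }


def major_application_decision(app: Application) -> tuple[bool, list[str]]:
    """Report rule: any category rated High makes the application major.

    The triggering categories are returned too, so the determination can be
    written down for management approval (the report notes that documented
    approval of final risk determinations is missing).
    """
    triggers = [cat for cat, rating in yard_stick(app).items() if rating is Rating.HIGH]
    return bool(triggers), triggers


# Constructed sample inventory: fictional systems and amounts, not FCC data.
SAMPLE_APPS = [
    Application("Fee Filing System", 2_500_000, 600_000, Rating.MODERATE, Rating.MODERATE),
    Application("Internal Task Tracker", 0, 400_000, Rating.LOW, Rating.LOW),
    Application("Enforcement Case Files", 0, 120_000, Rating.LOW, Rating.HIGH),
    Application("Boundary Licensing System", 1_000_000, 750_000, Rating.LOW, Rating.LOW),
]


def classify_inventory(apps: list[Application]) -> dict[str, tuple[bool, list[str]]]:
    """Run the yard stick over an inventory; returns name -> (is_major, triggers)."""
    return {app.name: major_application_decision(app) for app in apps}


if __name__ == "__main__":
    for name, (is_major, triggers) in classify_inventory(SAMPLE_APPS).items():
        label = "MAJOR" if is_major else "not major"
        print(f"{name:28} {label:10} {', '.join(triggers) or '-'}")
```

Note that "Enforcement Case Files" becomes major on Risk/Harm alone with zero revenue, which is the report's point that revenue-based importance is not the only criterion.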
However, the specific performance
measures for assessing the risk to assets under the Commission’s control need to be
identified and included in the agency’s ITC Strategic Plan or the ITC Computer Security
Strategic Plan.

In determining the risk to operations, the Commission currently has a statement of work
in process to plan the development of a Continuity of Operations Plan (COOP). In
addition, the majority of the Commission’s business continuity plans represent Y2K as
the triggering event and do not reflect the current operating environment. The specific
measures of performance for COOP and BCP (Business Continuity Plan) programs need
to be identified by the appropriate program officials.

The Commission has a draft IT Strategic Plan; however, to line up with the agency’s
overall strategic plan, performance measures need to be identified and included in the
plan.

The actual performance of managing the risks associated with the operations and assets
under the Commission’s control could be enhanced by providing documented
management approval of final risk determinations of systems under the system owner’s
control.

(2) Appropriate level of security to protect such operations and assets

The Commission has performed security assessments on several of its major applications.
Potential risks, safeguards and countermeasures are identified in the security assessment.
The specific measures of performance for measuring the level of security to protect the
Commission’s IT assets need to be identified and included in the draft ITC Strategic Plan
or the ITC Computer Security Strategic Plan.

The level of security appropriate to protect operations consists of physical security
apparatus such as turnstiles for electronic badging of people entering and exiting the FCC
headquarters facility located at 445 12th Street, SW, Washington, DC. Also in place is
access control to sensitive areas such as the Commission’s data centers, wire closets, fire
suppression closets, and the telecommunication room which houses the Commission’s
telephone system.

The specific measures of performance for measuring the level of security to protect the
Commission’s operational assets need to be identified and included in the draft IT
Strategic Plan.

The actual performance of determining the level of security appropriate to protect the
operations and assets under the Commission’s control could be enhanced by:

   •   Providing a more timely correction of deficiencies identified in the security
       assessments of the Commission’s major applications.

   •   Developing a formally documented policy for Physical Security.

(3) Up-to-date security plan (that is practiced throughout the life cycle)

The Commission’s business applications were developed before a formal system
development life cycle (SDLC) for the agency was implemented. As a result, security
plans are being developed in the maintenance phase of the Commission’s SDLC.

The Commission is also in the beginning stages of developing security plans for its major
applications and general support systems. A timeline for creating security plans has
been developed and is being monitored by the ITC group.
The Commission has up-to-date security plans developed for the following:

General Support Systems:

   •   FCC Net
   •   Auctions Net

Major Applications:

   •   Consolidated Database System
   •   Universal Licensing System
   •   Automated Auctions System
   •   Experimental Licensing System
   •   Equipment Authorization System

The specific measures of performance for maintaining up-to-date security plans for each
system supporting the operations and assets under the Commission’s control need to be
identified and included in the draft ITC Strategic Plan.

The actual performance of maintaining an up-to-date security plan (that is practiced
throughout the life cycle) could be enhanced by:

   •   Including, as part of the SDLC process, FCC’s prescribed method for determining
       the sensitivity of its applications.

   •   Developing a security plan for each of the Commission’s major applications.

   •   Developing rules of behavior that are specific to the major application.

   •   Providing a summary of all security plans in the IT Strategic Plan or the ITC
       Computer Security Strategic Plan.

(4) Tested and evaluated security controls and techniques

In Fiscal Years 2000 and 2001, the Commission performed Certification and Accreditation
on several of its major applications. In this process, security assessments were conducted
which tested and evaluated the security controls and techniques of several major
applications.

The specific measures of performance for testing and evaluating security controls and
techniques for each major application supporting the operations and assets under the
Commission’s control need to be identified and included in the draft ITC Strategic Plan
or the ITC Computer Security Strategic Plan.

The actual performance of testing and evaluating security controls and techniques could
be enhanced by providing a more timely correction of deficiencies identified in the
security assessments of the Commission’s major applications.

Question #6 - Describe the specific measures of performance used by the agency to
ensure that the agency CIO:

1. adequately maintains an agency-wide security program;
2. ensures the effective implementation of the program and evaluates the performance of
   major agency components; and
3. ensures the training of agency employees with significant security responsibilities.

Include information on the actual performance for each of the three categories.

OIG response to Question #6

(1) Adequately maintaining an agency-wide security program

The FCC has designated a senior agency information security official who is referred to
as the CSO (Computer Security Officer) and who reports to the Deputy Chief
Information Officer (CIO).
The agency-wide security program is developed and
maintained in accordance with subsection (b) of the Security Act as follows:

   •   The FCC has developed a system development life cycle that incorporates
       information security principles and practices, but it is formally being carried out
       only from the maintenance phase onward in the life cycle.

   •   The FCC has developed security plans that are formally being practiced from the
       maintenance phase onward in the life cycle.

   •   The CSO is involved in overseeing the development and implementation of
       standards and guidelines relating to security controls for FCC’s applications and
       systems; however, performance measures need to be prescribed to determine how
       well the IT support needs of the FCC’s programs are being met.

The specific measures of performance used by the agency to ensure that the agency CIO
adequately maintains an agency-wide security program need to be established and
included in the draft IT Strategic Plan and the ITC’s draft Computer Security Strategic
Plan.

(2) Ensuring the effective implementation of the program and evaluating the
    performance of major agency components

The FCC has developed security policies, procedures, and control techniques that are
implemented and that are being maintained by the CSO with support from other elements
of the Information Technology Center. Enhancements to make the program more
effective would be to:

   •   Improve information sharing techniques with the agency’s Bureaus and Offices.

   •   Better integrate communication, roles and responsibilities pertaining to
       implementing a more effective information security program with Bureaus and
       Offices relevant to the agency-wide security program.

   •   Develop a method to evaluate the performance of the FCC’s major components.

The specific measures of performance used by the agency to ensure that the agency CIO
ensures the effective implementation of the program and evaluates the performance of
major agency components need to be established and included in the draft IT Strategic
Plan.

(3) Ensuring the training of agency employees with significant security
    responsibilities

The Commission provides Security Awareness training for all of its employees,
contractors, interns and co-ops. To ensure the training of agency employees with
significant security responsibilities, the ITC has identified positions designated as high
risk and complies with guidance from the Office of Personnel Management regarding
personnel suitability.

The Commission’s training program does not require Offices and Bureaus to track and
monitor the training issued to employees. Any tracking and monitoring that is being
done is based on the initiative of the Offices and Bureaus.
As a result, the training of
agency employees with significant security responsibility is not currently a reporting
requirement for the agency’s CIO.

The specific measures of performance used by the agency to ensure that the agency CIO
ensures the training of agency employees with significant security responsibilities need
to be established and included in the draft IT Strategic Plan and the ITC draft Strategic
Plan.

Question #7 - Describe how the agency ensures that employees are sufficiently trained in
their security responsibilities. Identify the total number of agency employees and briefly
describe what types of security training were available during the reporting period, the
number of agency employees that received each type of training, and the total costs of
providing such training.

OIG response to Question #7

   •   Total number of agency employees - The Fiscal Year 2000/2001 FTEs totaled
       1,975 as presented in the President’s Budget for the FCC.

   •   Type(s) of security training available during the reporting period - The
       reporting period consists of Fiscal Year 2001. Security Awareness training
       briefings are provided around the middle of each month.

   •   Number of agency employees that received each type of training - During
       Fiscal Year 2001, approximately 700 FCC staff attended Security Awareness
       training.

   •   Total costs of providing such training - Total costs of providing Security
       Awareness Orientation training were not available from the FCC’s Training
       Program Director.

For additional types of security training provided to FCC staff, refer to the CIO’s annual
program evaluation for the Security Act.

Question #8 - Describe the agency’s documented procedures for reporting security
incidents and sharing information regarding common vulnerabilities. Include a
description of procedures for external reporting to law enforcement authorities and to the
General Services Administration’s FedCIRC. Include information on the actual
performance and the number of incidents reported.

OIG response to Question #8 - According to the FCC Computer Network (general
support system) security plan, the FCC’s Computer Incident Response Team (CIRT) has
been charged to act as the Commission’s focal point for mitigating the impact of
computer related incidents. The team is managed by the FCC Computer Security Officer
and is comprised of technical experts in the fields of PCs, computer networks,
telecommunications, application(s) management, virus management, and security. The
team acts to prevent or minimize the impact of a threat against computer operations at the
FCC.

Planned controls consist of updating written policies and procedures for the incident
response capability. The plan is to have a documented program for recognizing and
handling incidents (e.g., viruses, intrusions, denial of service, etc.) by the third quarter of
Fiscal Year 2001.

In addition, according to the FCC Auctions Network LAN (general support system)
security plan, system anomalies or other potential security incidents are first reported to
the Auctions’ Technical Director. Incidents are then investigated and validated by FCC
staff and contractors; the cause and nature of the event or incident is resolved before
escalation. At the completion of the investigation, or during the course of the
investigation if immediate resolution is not possible, the Technical Director follows
appropriate FCC guidelines and reports the incident to designated FCC personnel. All
security incidents are reported to the CSO within a reasonable time period.

Planned controls consist of having the tool HP VPO (Hewlett Packard Vantage Point
Operations) automatically page, e-mail, and/or display alerts on a message board
notifying the responsible staff member of suspicious activity.

The documented procedures for reporting security incidents, in addition to the security
plans for the general support systems, consist of the following:

   •   The ITC group has produced draft Incident Response Guidelines that contain
       procedures to monitor an incident and to ensure that it is resolved.

   •   The Auctions group has produced draft Incident Handling Procedures that provide
       steps to handle virus incidents and hacker/cracker attacks.

The current incident handling environment within FCC does not facilitate the sharing of
information regarding common vulnerabilities. However, one of the planned controls is
to have a documented program for recognizing and handling incidents (e.g., viruses,
intrusions, denial of service, etc.) by the third quarter of Fiscal Year 2001. Another
planned control is to have automatic paging, e-mailing, and/or displaying of alerts on a
message board to notify the responsible staff member(s) of suspicious activity.

   •   Description of procedures for external reporting to law enforcement authorities and to
       the General Services Administration’s FedCIRC.

The current procedures for external reporting to law enforcement authorities and to the
General Services Administration’s FedCIRC consist of the following:

       The FCC’s Computer Incident Response Guidelines (draft, June 8, 2001), section
       6.6.2, state that if the incident involves criminal activity or possible criminal
       activity, notify the OIG, the FBI and NIPC.

   •   Include information on the actual performance and the number of incidents reported.

       The ITC identified and managed four incidents during FY’01, which included:

       •   the Chinese attack on U.S. government and military sites;
       •   one internal user who misused FCC resources for self gain; and
       •   Code Red and Code Red II.

Question #9 - Describe how the agency integrates security into its capital planning and
investment control process. Were security requirements and costs reported on every
FY02 capital asset plan (as well as exhibit 53) submitted by the agency to OMB?
If no,
why not?

OIG response to Question #9 - The FCC integrates security into its capital planning and
investment control process by incorporating funds for security into the information
technology expenditures.

In the Fiscal Year 2002 Budget Estimates submitted to Congress in April 2001, the FCC
requested $10.997 million in required additional funding for life cycle replacement of
the Commission’s information technology infrastructure hardware and software, for
mandatory enhancements to twelve mission critical electronic filing systems, and for funding
to implement mandatory requirements for the Commission’s disability accessibility,
information security, and asset management programs. The funding will be distributed
among all five FCC activities: licensing, competition, enforcement, consumer
information and spectrum management. The additional funding would be expended in
the following areas:

Application System Maintenance and Development - The FCC requested $3.03
million for critical refreshments to twelve (12) mission critical systems. Mandatory
adjustments are needed to the Commission’s International, Cable Services, Mass Media
and Consumer Information systems, as well as to the FCC’s Office of Engineering and
Technology’s electronic filing systems. These applications were implemented several
years ago and require web/SQL replacements or upgrades to include more robust Java
modules.

An additional $270K is required to implement an improved property management
inventory system. The FCC’s first financial audit revealed deficiencies in the FCC’s
information technology hardware/software inventory process. The additional funding
will be used to design and implement a system to improve the FCC’s data collection
processes.

Internet, Telecommunications, Security, and Network Support - The FCC requested
approximately $3.67 million for upgrades to the FCC’s network infrastructure hardware
and software, which supports, among other things, the FCC’s telecommuting program.
The FCC must replace many of the aging network servers, routers, switches, and local
printers as well as upgrade the network operating system and firewalls. Of the amount
requested, $331K is needed to ensure that all FCC applications fully meet federal
government security requirements as called for in OMB Circular A-130.

Desktop Computer Support - The FCC requested $2.7 million for life cycle
replacement of the FCC’s office automation software and hardware, including
replacement of 900 personal computers and 200 laptops. In Fiscal Year 2002, the FCC
plans to migrate to the Microsoft Office suite and Windows 2000 as the Commission’s
desktop operating software.

A breakout of FCC’s information technology expenditures, including funding available in
the base, is shown in the following chart.

FCC IT Budget Expenditures by Fiscal Year ($ in millions)

Information Technology Budget Initiatives      FY 1999   FY 2000   FY 2001    FY 2002    FY 2002 Increase
                                               (actual)  (actual)  (revised)  (request)  Above FY 2001 Level
(1) Application System Maintenance and          $3.1      $6.3      $6.5       $10.8      $4.300
    Development
(2) Internet and Network Support                $3.0      $3.8      $3.5       $7.5       $4.00
(3) Telecommunications                          $3.5      $3.3      $3.6       $3.6       -
(4) Desktop Computer Support                    $1.8      $2.5      $2.5       $5.2       $2.697
(5) Y2K Supplemental Funding                    $4.2      $2.4      -          -          -
TOTAL                                                     $18.3     $16.1      $27.1      $10.997

A description of what information technologies are included in each category from the
chart on FCC IT Budget Expenditures is provided below.

(1) Application System Maintenance and Development - This expenditure would cover
30 data base systems, of which 18 incorporate electronic filing or offer public access to
data. The databases supported include licensing, enforcement, rulemaking and internal
administration. It would also provide for routine upgrades, bug fixes and day-to-day
system maintenance functions.

(2) Internet and Network Support - This expenditure would support electronic filing of
license applications and other data. It would provide for an array of public information
on Commission actions, proceedings and related telecommunications matters. It would
also include maintenance of local area network, Internet and Intranet facilities, remote
access system, and computer/network security.

(3) Telecommunications - This expenditure would provide for ISDN desktop telephones
with voice mail and FTS 2001 services, automated call distribution and other specialized
systems for the help desk and the Gettysburg call center.
It would also provide for
telephone and cellular phone services, voice mail, video and audio conferences,
automated call distribution and other specialized systems, data circuits, consulting and
PBX support.

(4) Desktop Computer Support - This expenditure would provide for desktop
computers, peripherals and a comprehensive software suite. It would include access to the
Internet and agency and commercial databases. Additionally, it would provide for a
Computer Resources Center helpdesk and training facility. It would provide file, print
and email services supported by the local and wide area networks. It would also provide
support for remote access system connectivity for telecommuters and travelers.

(5) Y2K Expenditures - This category represents the expenditures in 1999 and 2000 to
provide for the Year 2000 Bug remediation project. The expenditures for this category
were completed by March 31, 2000.

Question #10 - Describe the specific methodology (e.g., Project Matrix review) used by
the agency to identify, prioritize, and protect critical assets within its enterprise
architecture, including links with key external systems. Describe how the methodology
has been implemented.

OIG response to Question #10 - The specific methodology being used by the agency
to:

Identify critical assets:

   •   The FCC used guidance from OMB Circular A-130, Appendix III, to identify its
       major applications and general support systems. In addition, the FCC used guidance
       from NIST SP 800-18 to determine confidentiality, integrity, and availability
       considerations to identify its critical assets. The assets were ranked High, Medium, or
       Low.

       To ensure that each FCC application experienced a consistent evaluation, the ITC
       group used a “yard stick” approach to evaluate each of the automated systems
       managed within the FCC network. The ITC group developed a methodology that
       allowed the group to provide consistent criteria against which each of the
       automated applications, and its associated data, resident on the FCC network were
       evaluated. Any application rated “High” in any of the four categories in the table
       below was considered to be major within the FCC infrastructure.

                                ITC “Yard Stick”

Importance                  Dollar amounts generated by the system, by the collection of
(Revenue)                   regulatory and application fees, which are returned to the Federal
                            government.
                            Low = $0 - $500K
                            Moderate = >$500K - <$1M
                            High = >$1M

System Investment           The dollar amount spent to date to develop and maintain the
                            system, and any associated databases.
                            Low = $0 - $750K
                            Moderate = >$750K - <$2M
                            High = >$2M

Administrative              The impact of not having the system or its associated data
Significance                available for use by the Bureau/Office or the FCC.
                            Important Note: Administrative Significance is a subjective
                            ranking versus categories that are based on fixed costs.

Risk/Harm                   The amount of risk/harm that could be caused if the system, or its
                            associated data, were compromised (i.e., the potential damage that
                            might be caused by a person who gained unauthorized access to
                            the data processed by a specific system).
                            Important Note: Risk/Harm is a subjective ranking versus
                            categories that are based on fixed costs.

Prioritize critical assets:

   •   The FCC used the “yard stick” methodology that was developed by the ITC group to
       identify prioritization. The amount of revenue generated by the system determined its
       level of importance. However, this importance rating is not the criterion used in
       operations while servicing and maintaining the system in the client/server
       environment. Service level prioritization still needs to be determined.

[NOTE: The importance rating is based on revenue generated by the system; investment
amount is based on cost of developing the system; administrative significance is based on
the reliability level of the system; and risk/harm of the system is based on whether the
system supports sensitive data and whether the data is proprietary.]

Protect critical assets:

   •   The FCC’s ITC group has begun development of security plans in accordance with
       NIST Special Publication 800-18 to protect critical assets. The ITC group also
       coordinates security assessments to identify potential risks to the FCC applications.
       Business continuity plans have also been developed; however, to better protect
       critical assets, the plans should be updated.

Links with key external systems:

   •   FCC’s key external systems are identified through Memoranda of Agreement,
       Memoranda of Understanding, or Interagency Agreements.
These agreements\n    outline cross-servicing to be provided by the FCC and the corresponding\n    responsibilities of the external organization.\n\nSystem Interconnection and Information Sharing is defined in the template for FCC\xe2\x80\x99s\nsecurity plans for general support systems and major applications in accordance with\nguidelines from OMB A-130, Appendix III. Section l.9 of FCC\xe2\x80\x99s security plans provides\ndescriptions for any system interconnection or direct connections to the application as\nwell as links with key external systems. Information in this section includes the\nfollowing:\n\n        o List of interconnected systems or major applications and their system\n          identifiers.\n        o Description of interconnections with external systems not covered by a\n          security plan and any security concerns.\n\x0c                                                                              Page 18 of 24\n\n\n       o Description of any required written authorizations (e.g., MOUs or MOAs) that\n         are in place for connection with other systems and/or sharing of sensitive\n         information.\n       o Detail of the rules of behavior that have been established with the\n         interconnected site.\n\nQuestion # 11 - Describe the measures of performance used by the head of the agency to\nensure that the agency\xe2\x80\x99s information security plan is practiced throughout the life cycle of\neach agency system. Include information on the actual performance.\n\nOIG response to Question #11 - The measures of performance used by the head of the\nagency to ensure that the Commission\xe2\x80\x99s information security plans are practiced through\nthe life cycle of each of FCC\xe2\x80\x99s systems consist of carrying out the goals of the\nInformation Technology Strategic Plan (ITSP) as well as correcting deficiencies found in\nprior years. 
Satisfying the functional, technical and business needs of the bureaus and offices is the primary focus of the (draft) ITSP. The planning process addresses these needs by involving internal stakeholders in individual and small group interviews and group workshops in which problems were defined and a strategic vision and proactive procedures were identified.

In addition, the need to develop comprehensive security plans was identified as a material weakness in the "Report on the Federal Communications Commission, Fiscal Year 2000, Financial Statements", dated June 27, 2001. Correction of this deficiency will be tracked both for timeliness and for how effectively the security plans for FCC's major applications are developed.

FCC is in the beginning stages of developing security plans. It is recommended that in a subsequent review year, the status of security plan development be assessed.

Question #12 - Describe how the agency has integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., physical and operational).

OIG response to Question #12 - The FCC's security program environment is governed by the Computer Security Program Directive 1479.1. The provisions of the directive apply to all FCC employees and contractors who use a computer system or access computer generated data to conduct business on behalf of the FCC. The directive discusses safeguard measures to be taken for computer related information systems processing or containing sensitive and Commission critical data.
The directive should also be used as a minimum standard for safeguarding other non-sensitive information processed or stored on FCC computer equipment.

It is the policy of the FCC that computer systems, sensitive and mission critical information, and the facilities that support the processing of such information shall be used for official agency/government business only, and shall be secured to at least the minimum level of security defined in Directive 1479.1 and other related FCC directives. FCC users must not store national security classified information on FCC computer systems unless specifically authorized by the Associate Managing Director – Operations, Personnel Security Office. A copy of each authorization must be forwarded to the Computer Security Officer.

The FCC also maintains an "Information Security Manual" for classified information. Chapter 1, Section 4, Purpose and Applicability, states that the regulations establish uniform Commission policies, standards, criteria and procedures for the classification, safeguarding, downgrading and declassification of National Security Information, and provide for oversight and administrative sanctions for violations. The regulations are applicable to all Commission headquarters and field activities. Chapter 2, Section 1, Security Classification Designations, further states that information or material that requires protection against unauthorized disclosure in the interest of national security shall be classified in one of three designations, namely "Top Secret," "Secret," or "Confidential." The markings "For Official Use Only" and "Limited Official Use" shall not be used to identify classified information.
Moreover, no other term such as "Sensitive," "Conference," "Agency" or "Commission" shall be used in conjunction with the authorized classification designations to identify national security information. Classification cannot be used to conceal violations of law, inefficiency, or administrative error, to prevent embarrassment, or to restrain competition.

The Commission's policy on the handling of non-public information is stated in FCC (draft) Directive 1139. The purpose of (draft) Directive 1139 is to establish policies and procedures for managing and safeguarding non-public information. These procedures are necessary to protect the integrity of the Commission's decision-making process and to ensure public confidence in the agency's ability to protect proprietary and other similar material. Unauthorized disclosure of non-public information is prohibited by the Commission's rules and may result in disciplinary action. In the case of contractors, unauthorized disclosure may result in termination of the contract, replacement of a contract employee, or other appropriate measures.

The above topics are introduced to users of FCC's computers in the Security Awareness Orientation that is provided monthly to all new users of the general support system. A User Access Acknowledgement form must be signed at the completion of training to provide assurance that users are aware of their information security responsibilities.
The policy for use of computer resources as stated on the User Access Acknowledgement form is:

As an employee or contractor of the Federal Communications Commission (FCC), you are required to be aware of, and comply with, the FCC's policy on all usage and security of computer resources.

The specific topics covered on the form are:

•   Responsibility for all actions performed with a user's personal user ID.
•   Policy, standards and procedures that must be followed.
•   Advising the user to control the information they access.
•   Proper use of FCC computer resources is the user's responsibility.

Physical Security Program

FCC Directive 1479.1, Section 14, addresses Physical Security and Computer Equipment Handling. The policy states that the offices and work areas where FCC computer systems are located must be physically secured when unattended. The policy further states that adequate controls should be employed consistent with the value, exposure and sensitivity of the information and equipment to be protected. The policy advises that although the value of a computer can be significant, the value or importance of the information can be far greater.

The Commission houses two data centers, located on separate floors within the 445 12th Street, SW, Washington, DC, headquarters facility. The data centers are designated as sensitive areas; therefore, access is restricted to those personnel who must have access to the data centers.

Card keys must be used upon entry to and exit from the FCC headquarters facility. All visitors must sign in, receive a visitor badge, and pass through the metal detector to complete the screening process.
The elevator lobbies on each floor have access control points that prevent visitors from using their badge to enter the FCC work area. To enter an FCC work area, a visitor must be escorted by the holder of an FCC employee badge or contractor badge. A formally documented physical security policy needs to be developed.

Operational Security Program

The Commission's operational security program safeguards the critical infrastructure through its Personnel Security/Suitability Manual policy, through the logical access controls to FCC's general support systems and major applications, and through contingency plans for continuity of FCC's business operations.

Personnel Security/Suitability Manual (draft)

The purpose of the FCC Personnel Security/Suitability Manual (Manual) is to provide guidance and a basic understanding of the responsibilities, duties, and assignments for the FCC's Personnel Security and Suitability Program. The FCC's practice and policy is to employ and retain individuals who are found suitable for Federal employment in order for the FCC to complete its operations, goals, and missions. Every appointment, including contractor positions, shall be made subject to investigative processing.

The FCC's Security Operations Center (SOC) maintains a personnel/suitability file on each individual. The SOC is the main repository for all security information and maintains a Personnel Security database/file. Privacy Act and Freedom of Information Act requests for security information are referred to the SOC for direct response to the requestor.
The personnel security/suitability file consists of the individual's completed Standard Form 85 or 86, whichever is applicable to the designated position risk/sensitivity level. These forms may be destroyed after completion of the OPM report of investigation and after the Security Officer certifies and dates the Certification of Investigation (CIN). The file also contains a copy of the Position Risk Designation Record with the OF 8, Position Description.

Initially, the Commission's Human Resources Management (HRM) Office designates the risk/sensitivity level of every FCC position using the Office of Personnel Management's Position Risk Designation System upon receiving a position description from the Bureaus/Offices. The SOC reevaluates HRM's initial designation to ensure accuracy and consistency in the FCC's Personnel Security and Suitability Program. The SOC has the final decision on all position risk/sensitivity level designations.

Contingency Planning

The security plans for major applications and general support systems contain a section on contingency planning. The objective is to provide procedures that will permit the organization to continue essential functions if information technology support is interrupted. The procedures (contingency plans, business continuity plans, and continuity of operations plans) should be coordinated with the backup, contingency, and recovery plans of any major application. The contingency plans should ensure that interfacing systems are identified and that contingency/disaster planning is coordinated.

Also in place as an operational control is the "TechFest" meeting, which is held every day at 8:30 AM. The TechFest meeting is a forum to discuss the issues of the day or any problems that may have come up overnight.
The attendees are from the Information Technology Center, with a representative from each area of support.

Question #13 - Describe the specific methods (e.g., audits or inspections) used by the agency to ensure that contractor provided services (e.g., network or website operations) or services provided by another agency are adequately secure and meet the requirements of the Security Act, OMB policy and NIST guidance, national security policy, and agency policy.

OIG response to Question #13

Private Sector Agreements

The Commission's Office of the Managing Director, Information Technology Center, made a computer security site visit inspection to J.P. Morgan/Chase Bank in New York City, NY. The purpose of the site visit was to perform a cursory review of the facility to ensure that an adequate baseline security posture was in place prior to the transfer of FCC information to the contract facility. A second objective of the site visit was to verify that the FCC was about to engage with a bona fide professional business rather than a type of business where adherence to security policy might not be a business priority.

FCC computer security policies have no exclusionary provision; they apply to computer systems and information/applications containing FCC information for which the FCC is the legal custodian. The boundaries of responsibility apply whether the processing services are performed at an FCC facility or by a contracted vendor. More and more Federal government work is being performed by contractors. When these organizations are under contract with the FCC, the contract must specify adherence to the FCC Computer Security Program Directives.
In addition, before entering into an agreement to process or handle sensitive information at a contractor facility, a security assessment of the facility should be conducted, or should have been completed within the previous three years. The results of the assessment will be made available to the Contracting Officer and the Computer Security Officer for review.

The contract should specify that the FCC reserves the right to perform on-site inspections (announced or unannounced) of the site where FCC information is being processed. The inspections are used as a tool to ensure adherence to FCC's computer security directive and policies, and other applicable Federal regulations and mandates.

The target facility for the site visit inspection was J.P. Morgan/Chase Bank, Capital Market Fiduciary Services, 450 West 33rd Street, New York, NY. The following is a list of the security controls that were in place at the target facility:

•   Physical Safeguards at the facility
       o Picture ID assigned to each person working for J.P. Morgan/Chase Bank;
       o Guests are required to sign in/out when visiting J.P. Morgan/Chase Bank facilities;
       o 24/7 guard services are provided at the facility;
       o Guard monitoring station in place, with cameras distributed throughout the building and centralized monitoring;
       o Fire alarms installed throughout the building, which alarm locally; and
       o Sprinkler fire suppression system installed throughout the building.

•   Storage Vault Safeguards
       o Diebold card access with picture ID assigned to each person who is granted permission to access the document storage vault;
       o Magnetic locking systems installed on all doors providing access to the vault;
       o Slab-to-slab walls installed in the vault;
       o No raised floors installed in the vault; and
       o Motion detection system installed in the vault, with alarming to the guard station.

•   Computer-based Loan Processing System (Mortgage Collateral System (MCS))
       o Windows NT 4.0 platform;
       o Appropriate use banner displayed at each user login session;
       o Running Norton Anti-Virus software (updated routinely);
       o Screen saver use mandatory;
       o 10 minute automatic timeout feature when connected to MCS; and
       o Internet Security Systems (ISS) software is used to provide system level intrusion detection capabilities.

•   Other in-place safeguards consisted of:
       o System Development Life Cycle;
       o Policy on computer security and system usage;
       o Encryption use policy, which includes the use of Connect:Direct, MQ security and DES;
       o Computer Security Awareness Training is provided to all J.P. Morgan/Chase Bank employees (e.g., user level awareness, technical level, system custodian and local user level);
       o Hot site contingency planning facility located at 4 New York Plaza. The site can be occupied within 24 hours and is equipped with physical and environmental security controls similar to those in place at the 450 West 33rd Street facility; and
       o System level backups are performed routinely (e.g., intra-day, nightly and weekly) and stored on DLTs using a centrally located disk farm.

The cursory review performed during the site visit inspection provided verification that physical, logical, and computer-based security controls appear to be in place. The security controls were not tested for reliability; instead, discussions were held with the respective program managers.

Agreements with Federal Agencies

The Commission has entered into Memoranda of Understanding, Memoranda of Agreement and Interagency Agreements with agencies that provide services to the FCC. However, the Commission has not performed an audit or inspection of these contracted servicing agencies. The following cross-servicing agreements have been developed:

•   The Federal Communications Commission and the US Department of the Interior, Bureau of Reclamation, Administrative Services Center (ASC) have entered into a Memorandum of Understanding. The ASC provides processing services and operations support to the FCC on the Federal Financial System (FFS).

•   The Federal Communications Commission and the National Business Center/Products and Services (NBC/PS), Office of the Secretary, have entered into a Memorandum of Understanding.
The NBC/PS provides detailed database conversion of the Nortridge Loan System (NLS) from Sybase to Oracle, configuration setup, implementation, ongoing database administration and security administration services and support to the FCC.

•   The Federal Communications Commission and the US Department of Agriculture have entered into a Memorandum of Agreement. The USDA provides payroll and personnel data processing services, and telecommunications access to the USDA mainframe, to the FCC.

•   The Federal Communications Commission and the Department of the Interior Franchise Fund, National Business Center (DOI/NBC) have entered into an Interagency Agreement. The DOI/NBC provides software maintenance and NBC Help Desk support for the FCC implementation of the Interior Department Electronic Acquisition System – Procurement Desktop (IDEAS-PD).

The agreements mentioned above (MOU, MOA, IA) are with Federal government agency service centers. Some of these agreements were entered into as early as June 1989. Although an implied trust relationship exists between agencies that provide cross-servicing, the FCC should require and review the audits and/or inspections performed on each contracted servicing agency.

Question #14 – Each agency head, working with the CIO and program officials, must provide the following information to OMB by October 31, 2001. Provide a strategy to correct security weaknesses identified through the annual program reviews, independent evaluations, other reviews or audits performed throughout the reporting period, and uncompleted actions identified prior to the reporting period.
Include a plan of action with milestones that include completion dates that: 1) describes how the agency plans to address any issues/weaknesses; and 2) identifies obstacles to address known weaknesses.

OIG response to Question #14 - This question is not applicable to the OIG per OMB reporting instructions.